Centralizing Storage of Authorized Keys

If you need to manage many users across different systems, you might consider centralizing the storage of the authorized keys. Maintaining a single central resource for authorized_keys makes it easier to perform administration tasks, for example revoking old keys or adding new keys for sets of servers.

A common approach is to configure the SSH server to use the System Security Services Daemon (SSSD) to retrieve keys stored in a central location such as an LDAP directory or an Identity Management (IPA) domain. SSSD must already be set up to authenticate users against that service; to configure user authentication against these services, see one of the following links:

SSSD provides a helper for OpenSSH, sss_ssh_authorizedkeys, which looks up a user's public keys in the user entry of the domain SSSD is joined to (an Identity Management (IPA) domain or an LDAP directory) and prints them on standard output in the standard authorized_keys format. sshd runs this helper through its AuthorizedKeysCommand directive at authentication time, so no authorized_keys file needs to exist on the server; the lookup goes through SSSD's normal user cache, and keys that SSSD has already cached remain available when the identity server is temporarily unreachable.

To configure the SSH server to use SSSD to retrieve public keys for users, edit /etc/ssh/sshd_config and verify that the following entries are present:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

If you have edited the server configuration, you must restart the service:

sudo systemctl restart sshd

SSSD must already be configured and running, and the keys must be stored where SSSD looks for them: in the ipaSshPubKey attribute of the user entry in IPA (for example, set with ipa user-mod --sshpubkey), or, for the LDAP provider, in the attribute named by the ldap_user_ssh_public_key option in sssd.conf (sshPublicKey by default). Note that sshd still consults the files named by AuthorizedKeysFile (by default ~/.ssh/authorized_keys) before running the command, so a key placed locally in a user's home directory remains valid; set AuthorizedKeysFile to none if the central store is to be the only source of keys.

See the sss_ssh_authorizedkeys(1) manual page for more information.
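The following script is an added example, not part of this documentation or of the SSSD or OpenSSH projects. It checks an sshd_config for the two directives above the way sshd reads them (first occurrence outside any Match block wins, commented-out lines are ignored), validates that what the lookup command prints really is well-formed authorized_keys data before the server is switched over to it, and wraps the restart in an sshd -t syntax check so a typo cannot leave the host without a working ssh daemon. The sshd_config fragment and the key lines it runs against are constructed for the example; the ed25519 blob is well-formed but is not a real key.

```shell
#!/bin/sh
# Added example (not from the documentation above or from SSSD/OpenSSH).
# Sample config and key lines below are constructed for this demonstration.

# Effective value of KEYWORD in CONFIG: sshd honours the first occurrence
# outside any Match block and ignores comment lines; prints nothing if absent.
sshd_effective() {  # usage: sshd_effective CONFIG KEYWORD
    awk -v kw="$2" '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == tolower(kw) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Returns 0 when CONFIG delegates key lookup to sss_ssh_authorizedkeys by an
# absolute path and runs it as an unprivileged account; prints each problem.
audit_authorized_keys_command() {  # usage: audit_authorized_keys_command CONFIG
    cmd=$(sshd_effective "$1" AuthorizedKeysCommand)
    user=$(sshd_effective "$1" AuthorizedKeysCommandUser)
    prog=${cmd%% *}   # program only; sshd appends the user name as argument
    rc=0
    case "$prog" in
        /*/sss_ssh_authorizedkeys) ;;
        /*) echo "AuthorizedKeysCommand does not run sss_ssh_authorizedkeys: '$cmd'"; rc=1 ;;
        *)  echo "AuthorizedKeysCommand missing or not an absolute path: '$cmd'"; rc=1 ;;
    esac
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "AuthorizedKeysCommandUser must be an unprivileged account such as nobody, got '${user:-<unset>}'"
        rc=1
    fi
    return "$rc"
}

# Reads authorized_keys-format lines on stdin (e.g. from `sss_ssh_authorizedkeys alice`)
# and returns 0 only when every non-comment line carries a supported key type whose
# base64 blob decodes and names that same type in its first field, as the OpenSSH
# public-key wire format requires (4-byte length followed by the type string).
check_authorized_keys_output() {
    rc=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f
        # An options field (from=..., command=...) may precede the key type.
        case "$1" in ssh-*|ecdsa-*|sk-*) type=$1; blob=${2:-} ;; *) type=${2:-}; blob=${3:-} ;; esac
        case "$type" in
            ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|\
            sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
            *) echo "unsupported or missing key type: '$line'"; rc=1; continue ;;
        esac
        embedded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | head -c $((4 + ${#type})) | tail -c ${#type})
        if [ "$embedded" != "$type" ]; then
            echo "key blob does not decode to a $type key: '$line'"; rc=1
        fi
    done
    return "$rc"
}

# Audits CONFIG, lets sshd's own parser validate it, and only then restarts
# the service. Run as root; sshd -t needs to read the host keys.
apply_sshd_config() {  # usage: apply_sshd_config /etc/ssh/sshd_config
    audit_authorized_keys_command "$1" || return 1
    sshd -t -f "$1" || return 1
    systemctl restart sshd
}

# Constructed sample sshd_config: a commented-out directive, the two real ones,
# and a Match block whose override sshd does not apply globally.
SAMPLE_SSHD_CONFIG='# sshd_config fragment (constructed for the example)
#AuthorizedKeysCommand none
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
Match Group contractors
    AuthorizedKeysCommand /usr/local/bin/other-lookup
'
# Constructed lookup output; the ed25519 blob is well-formed, not a real key.
SAMPLE_KEYS='# keys for alice
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbt9Y6oKXHObZsZg5LgF7SuNyjeHcwCxQ5j4K3Ouf3V alice@example.com
'
# Constructed bad output: an unparsable blob and a blob whose embedded type disagrees.
BAD_KEYS='ssh-rsa not-base64! alice@example.com
ecdsa-sha2-nistp256 AAAAC3NzaC1lZDI1NTE5AAAAIGbt9Y6oKXHObZsZg5LgF7SuNyjeHcwCxQ5j4K3Ouf3V alice
'

demo() {
    tmp=$(mktemp); printf '%s' "$SAMPLE_SSHD_CONFIG" > "$tmp"
    audit_authorized_keys_command "$tmp"; echo "config audit exit status: $?"
    rm -f "$tmp"
    printf '%s' "$SAMPLE_KEYS" | check_authorized_keys_output; echo "good keys exit status: $?"
    printf '%s' "$BAD_KEYS" | check_authorized_keys_output; echo "bad keys exit status: $?"
}
demo
```

On a live server, run `sss_ssh_authorizedkeys alice | check_authorized_keys_output` for a few users before switching them over, and use `apply_sshd_config /etc/ssh/sshd_config` instead of a bare restart; the audit refuses a configuration that runs the lookup as root or points anywhere other than sss_ssh_authorizedkeys, and sshd -t catches syntax errors that would otherwise stop the daemon from coming back up.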